Uploaded image for project: 'Apache Ozone'
  1. Apache Ozone
  2. HDDS-7331

Ozone PKI improvements

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • Security

    Description

      Ozone's internal Public Key Infrastructure and its related functionalities is incomplete, this new umbrella JIRA is created to collect and track missing pieces.
      What we miss today:

      • automatic rotation of certificates before expiration
      • automatic rotation of CA certificates before expiration
      • certificate revocation support
      • configurability
      • full admin CLI support for handling certificates
      • better test coverage
      • we have discrepancies in SCM HA due to the necessity of a primordial node
      • clear separation of concerns, we use the same certificate and keypair for multiple reasons

      Also as token signatures use the 2048 but RSA keypair generated for our internal certificates, we suffer a performance hit due to the costly RSA signing of tokens.

      See the attached detailed document about the current system, and the planned improvements for more details about the problems and proposed solutions.

      Attachments

        Issue Links

          Blocked

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7938 Remove primordial SCM dependency during SCM decommission

          • Major - Major loss of function.
          • Resolved
          duplicates

          Bug - A problem which impairs or prevents the functions of the product. HDDS-1194 Ozone Security Phase -2

          • Major - Major loss of function.
          • Resolved
          is blocked by

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7335 Certificate renewal and revocation related cleanup

          • Critical - Crashes, loss of data, severe memory leak.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7401 Cover the PKI system with docker based integration tests

          • Critical - Crashes, loss of data, severe memory leak.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7333 Implement support for certificate revocation

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7336 Improve PKI configurablity

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-9111 Phase II - Automated live rotation of CA certificates

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7391 Phase I - Automated live rotation of CA certificates in a cluster with established trust

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7332 Automatic certificate rotation before certificate expiration

          • Major - Major loss of function.
          • Resolved
          is related to

          New Feature - A new feature of the product, which has yet to be developed. HDDS-4 Implement security for Hadoop Distributed Storage Layer

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. HDDS-2823 SCM HA Support

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. HDDS-6030 Support for External Root CA

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-2731 Certificate Revocation Support for Ozone CA

          • Major - Major loss of function.
          • Resolved
          relates to

          Sub-task - The sub-task of the issue HDDS-8256 ozone admin cert list should provide JSON output option

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HDDS-9061 Possible dead-lock in SCM initialization due to certificate operations.

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Activity

            People

              pifta István Fajth
              pifta István Fajth
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: